More stories

  • These hackers sell network logins to the highest bidder. And ransomware gangs are buying

    A growing class of cyber criminal is playing an important role on underground marketplaces by breaching corporate networks and selling access to the highest bidder to exploit however they please.
    The buying and selling of stolen login credentials and other forms of remote access to networks has long been a part of the dark web ecosystem, but according to analysis by cybersecurity researchers at Digital Shadows, there’s been a notable increase in listings by ‘Initial Access Brokers’ over the course of the last year.
    These brokers work to hack into networks but rather than making profit by conducting their own cyber campaigns, they’ll act as a middleman, selling entry to networks on to other criminals, making money from the sales.
    Access via Remote Desktop Protocol (RDP) is the most sought-after type of listing among cyber criminals. It can provide stealthy remote access to an entire corporate network: because attackers start from legitimate login credentials to remotely control a computer, their activity is much less likely to arouse suspicion.
    This demand – and the potential access it offers – is reflected in the price of listings, with the average selling price for RDP access starting at $9,765. It’s likely that the higher the price, the higher the number of machines the buyer would be able to access – providing more opportunity for exploitation.
    This method of access is particularly popular among ransomware gangs, who can potentially make back what they pay for access many times over by issuing ransom demands of hundreds of thousands or even millions of dollars: $10,000 on initial access is almost nothing, if the target can be squeezed to pay a bitcoin ransom.

    The price of expensive access listings likely reflects the quality of the target, Stefano De Blasi, threat researcher at Digital Shadows, told ZDNet, “for example, RDP access with admin privileges and access to sensitive data.”
    Selling RDP access isn’t a new trend, but the rise in remote working over the last year has seen enterprises suddenly switch to using far more RDP access, providing cyber criminals with additional avenues of attack.
    Often, it’s relatively simple for the cyber criminals acting as access brokers to find insecure RDP connections with publicly available tools. And it’s still common for RDP to be set up with easy-to-guess or default passwords. Ultimately, it’s easy money for the seller to take these details and pass them on.
    Analysis of some of the most popular forums for selling RDP credentials found that education, healthcare, technology, industrial and telecommunications are the most popular targets. Organisations in any of these industries would be a potentially lucrative target for a ransomware attacker.
    Cyber criminals will continue to exploit RDP as a means of breaching networks, so it’s important that organisations have a strategy to ensure the security of remote access when it’s required – that can be as simple as applying multi-factor authentication and avoiding the use of easily guessable passwords.
    “In practice, the fundamentals of protecting information such as one-time complex passwords and IT monitoring practices can go a long way in thwarting most superficial attacks,” said De Blasi.

  • Ransomware: Sharp rise in attacks against universities as learning goes online

    The number of ransomware attacks targeting universities has doubled over the past year and the cost of ransomware demands is going up as information security teams struggle to fight off cyberattacks.
    Analysis of ransomware campaigns against higher education found that attacks against universities during 2020 were up 100 percent compared to 2019, and that the average ransom demand now stands at $447,000.

    The sharp rise in the number of ransomware attacks, combined with the six-figure sums ransomware gangs demand in exchange for the decryption key, means ransomware represents the number one cybersecurity threat for universities, according to the research by tech company BlueVoyant.
    Ransomware is a problem across all sectors, but for higher education it currently represents a particular problem because the ongoing COVID-19 pandemic means that students are receiving their teaching online while many academics are also working from home.
    Overstretched IT departments might not have the ability to fully address security, providing cyber criminals with an opening to exploit.
    “Operating in the middle of the pandemic provides even greater opportunity for the adversary,” Austin Berglas, global head of professional services at BlueVoyant told ZDNet.

    Berglas said IT staff are already busy ensuring students and staff have the necessary tools to conduct remote learning, from device configurations and the installation of new software and cameras to assisting end users that are having problems with the new technology. “These schools may not have the resources to properly secure the network,” he said.
    That means that universities could be considered an easy target for cyber attackers – and the lack of IT resources, combined with students and staff being reliant on the network being available, means that many victims of ransomware attacks in higher education will consider paying a ransom demand of hundreds of thousands of dollars in Bitcoin in order to restore the network as quickly as possible.
    Researchers suggest that in many cases, cyber criminals are specifically targeting universities because they perceive them to be a soft target, and one from which it is easier to extract a ransom payment than businesses in other areas, which might potentially provide more lucrative targets, but that require more effort from attackers.
    According to the report, more than three-quarters of the universities studied had open remote desktop ports, and over 60% had open database ports – both of which provide cyber attackers with an entry point into networks and a means to eventually deliver and execute ransomware attacks.
    While cyberattacks and ransomware continue to pose a threat to universities – and will continue to do so even after in-person teaching resumes – there are things that can be done in order to improve cybersecurity and reduce the chances of falling victim to malicious hackers.
    This includes applying multi-factor authentication across all email accounts, so if cyber criminals can breach login credentials, it’s much more difficult to exploit them for access around the network.
    “Ensure multi-factor authentication using a single sign-on solution. Multi-factor authentication will prevent the majority of phishing attacks, which is one of the top ways ransomware is being deployed,” said Berglas.
    It’s also recommended that universities monitor networks for abnormal behaviour, such as fast logins or logins to multiple accounts from the same location, as that could indicate suspicious activity.

  • Qualcomm, Sophos ink deal to secure 5G Snapdragon PCs

    Qualcomm has signed up Sophos to provide cybersecurity solutions for the next wave of 5G-enabled PCs.

    Announced on Tuesday, the US chipmaker said Sophos, a British endpoint security firm, will supply Intercept X endpoint protection software for 5G PCs.
    “The combination of Sophos Intercept X with Snapdragon compute platforms will provide users next-generation security through an always on, always connected PC environment,” the companies say.
    Sophos Intercept X is endpoint detection and threat response software, which includes prevention of malicious code deployment such as ransomware. According to the firm, the Snapdragon processor series — used to power light, 5G-capable PCs — will help combat security blackspots, as the software will leverage connected standby functions.
    The cybersecurity firm says this will mean that “security investigations have fewer unknowns as data won’t be missed due to devices being offline.”
    In addition, Qualcomm’s artificial intelligence (AI) engine, used to enhance connectivity, gaming, and photography, will be leveraged by Intercept X for optimization purposes. 
    Security, too, should start at the hardware level. Sophos’ solution will be applied to root of trust systems in Snapdragon PCs to bolster “cryptographic integrity.”

    “By working with Sophos, we are taking on-device security to a new level by enhancing their industry-leading endpoint protection with AI accelerated threat detection on our solutions,” commented Miguel Nunes, senior director of Product Management at Qualcomm. “We’re excited for Sophos to transform computing with next-generation enterprise-grade security on 5G powered Snapdragon compute platforms.”
    Intercept X for Snapdragon platforms will be available in the second half of 2021.
    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

  • IBM issues patches for Java Runtime, Planning Analytics Workspace, Kenexa LMS

    IBM has issued security patches designed to resolve high- and medium-severity bugs impacting the tech giant’s enterprise software solutions. 

    This week, the tech giant published a set of security advisories laying out fixes for vulnerabilities that impact IBM Java Runtime, IBM Planning Analytics Workspace, and IBM Kenexa LMS On Premise. 
    The first advisory addresses CVE-2020-14782 and CVE-2020-27221, two security flaws in IBM Runtime Environment Java 7 and 8 which are used by IBM Integration Designer — enterprise software used to integrate data and applications into existing business processes — in IBM’s Business Automation Workflow and Business Process Manager software suites. 
    CVE-2020-14782 is a bug in Java SE’s library component that could allow attackers to compromise Java SE via multiple protocols, but this takes a sandbox environment to trigger and so is considered difficult to exploit. 
    CVE-2020-27221, however, is of far more concern and has been issued a CVSS base score of 9.8, a critical rating. This stack-based buffer overflow vulnerability relates to Eclipse OpenJ9 and could be used by remote attackers to execute arbitrary code or cause an application crash. 
    The second advisory focuses on IBM Planning Analytics Workspace, a component of Planning Analytics, the firm’s collaboration and management planning software. In total, five vulnerabilities that impact the software have been resolved, including a Node.js HTTP request smuggling issue (CVE-2020-8201), CVE-2020-8251 — a Node.js denial of service flaw — and a Node.js buffer overflow bug, CVE-2020-8252, that could be exploited by attackers to execute arbitrary code. 
    Two further vulnerabilities, a data integrity weakness that can be triggered via XML external entity (XXE) attacks in FasterXML Jackson Databind (CVE-2020-25649), and CVE-2020-4953, a problem in Workspace that could allow remote — but authenticated — attackers to steal sensitive data exposed in HTTP responses — have also been tackled.

    IBM also posted a security advisory describing vulnerabilities affecting IBM Kenexa LMS On Premise, an enterprise learning management system. In total, five low-impact bugs have been patched, all of which relate to the use of Java SE and could lead to problems including denial of service and potential data theft if combined with other attack vectors. 
    Last week, IBM issued security bulletins for IBM Spectrum Symphony 7.3.1 and IBM Spectrum Conductor 2.5.0, and upgrades to third-party libraries that are susceptible to a wide range of vulnerabilities.

  • Keybase patches bug that kept pictures in cleartext storage on Mac, Windows clients

    Keybase has resolved a security flaw in the messaging client that preserved image content in the cache for cleartext viewing.

    The security-focused end-to-end encrypted chat app, which was acquired by remote videoconferencing tool developer Zoom in May last year, contained a vulnerability that could have compromised private user data. 
    Tracked as CVE-2021-23827, the bug is described as an issue which “allows an attacker to obtain potentially sensitive media (such as private pictures) in the cache and uploadtemps directories.”
    “It fails to effectively clear cached pictures, even after deletion via normal methodology within the client, or by utilizing the “Explode message/Explode now” functionality,” the CVE description reads. 
    John Jackson, the penetration tester and Sakura Samurai founder who identified the bug, said in a blog post on Monday that Keybase clients before 5.6.0 on Windows and macOS, and before 5.6.1 on Linux, are impacted.
    Jackson examined the client and saw that inside the Keybase uploadtemps and cache directories, photos that had previously been pasted into conversations were available and were not encrypted. Even if a user had set the content to ‘explode’ or delete, the cache still contained residual image files as Keybase failed to adequately clear them. 
    On Mac machines, all it took to recover this content was to view the directory, but on Windows, image file extensions would need to be changed to .png or .jpg. This does mean that the issue remains local; however, even local vulnerabilities need to be patched rapidly by services that promote themselves as privacy-centric. 

    “An attacker that gains access to a victim machine can potentially obtain sensitive data through gathered photos, especially if the user utilizes Keybase frequently,” Jackson said. “A user, believing that they are sending photos that can be cleared later, may not realize that occasionally pasted photos are not cleared from the cache and may send photos of credentials, etc, to friends or may even send other sensitive data. The photos then can be stored insecurely on a case-by-case basis.”
    The vulnerability was reported through Keybase’s bug bounty program on HackerOne on January 9, 2021. A fix was issued on January 23 which resolved the bug and also cleared out all of the images on clients that should have been previously wiped. Public disclosure was held back until February 22 to give users time to apply the update and Jackson was awarded $1,000 for his report. 
    Update 17.14 GMT: A Zoom spokesperson told ZDNet:
    “Zoom takes privacy and security very seriously and appreciates vulnerability reports from researchers. We addressed the issue identified by the Sakura Samurai researchers on our Keybase platform in version 5.6.0 for Windows and macOS and version 5.6.1 for Linux. Users can help keep themselves secure by applying current updates or downloading the latest Keybase software with all current security updates.”

  • Transport for NSW confirms data taken in Accellion breach

    Transport for New South Wales (TfNSW) has confirmed being impacted by a cyber attack on a file transfer system owned by Accellion.
    The Accellion system was widely used to share and store files by organisations around the world, including Transport for NSW, the government entity said on Tuesday afternoon.
    “Before the attack on Accellion servers was interrupted, some Transport for NSW information was taken,” it wrote.
    TfNSW said Cyber Security NSW is managing the state government investigation with the help of forensic specialists. 
    “We are working closely with Cyber Security NSW to understand the impact of the breach, including to customer data,” it said.
    It said the breach was limited to Accellion servers and no other TfNSW systems have been affected, including those related to driver’s licence information or Opal data.
    “We recognise that data privacy is paramount and deeply regret that customers may be affected by this attack,” TfNSW said.

    The Australian Securities and Investments Commission (ASIC) in January said one of its servers was breached earlier in the month in relation to Accellion software used by the agency to transfer files and attachments.
    Accellion was also used as the vector to breach the Reserve Bank of New Zealand (RBNZ) earlier last month.
    Accellion recently announced the end-of-life of its FTA product after the software was abused in attacks that breached many companies and government agencies across the world since December 2020.
    The NSW government is not new to breach notifications. In April 2020, Service NSW, the state government’s one-stop shop for service delivery, experienced a cyber attack that compromised the information of 186,000 customers. Following a four-month investigation that began in April, Service NSW said it identified that 738GB of data, comprising 3.8 million documents, was stolen from 47 staff email accounts.
    It was also revealed in September that information on thousands of NSW driver’s licence-holders was breached as a result of an AWS cloud storage folder holding over 100,000 images being mistakenly left open.

  • Palo Alto Networks Q2 results beat estimates

    Palo Alto Networks delivered better-than-expected second quarter financial results on Monday. The cybersecurity firm reported non-GAAP Q2 earnings of $154.2 million, or $1.55 a share, on revenue of $1 billion, up from $816.7 million a year ago.

    Analysts were expecting the security-software vendor to report earnings of $1.43 a share on revenue of $985.68 million.
    The company’s Q2 billings grew to $1.2 billion, up 22% from the same period last year, while its deferred revenue rose 30% year over year to $4.2 billion.
    “The momentum in the business continues to be strong, with second quarter revenue growth of 25% year over year to over 1 billion USD, driven by strong execution across the board,” said Palo Alto Networks CEO Nikesh Arora. “Events like the SolarStorm attack highlight the importance of cybersecurity, and Palo Alto Networks is well positioned to protect our customers with best-of-breed solutions. We are excited about the bets that we have made in SASE, Cloud and AI. Our three-platform strategy is paying off.”
    In terms of guidance, Palo Alto expects third quarter EPS in the range of $1.27 to $1.29 and revenue in the range of $1.05 billion to $1.06 billion. The guidance is roughly in line with Wall Street’s consensus for EPS of $1.28 a share and revenue of $1.05 billion.
    For the year the company expects revenue to range from $4.15 billion to $4.20 billion, with non-GAAP net income per share in the range of $5.80 to $5.90. The EPS guidance incorporates net expenses related to the company’s proposed acquisition of Bridgecrew, using 99 million to 101 million shares.
    The company’s stock fell more than 3% in after-hours trading.

  • FireEye links 0-day attacks on FTA servers & extortion campaign to FIN11 group

    Image: FireEye
    The attacks using zero-days in Accellion FTA servers that hit around 100 companies across the world in December 2020 and January 2021 were carried out by a cybercrime group known as FIN11, cyber-security firm FireEye said today.
    During the attacks, hackers exploited four security flaws in FTA servers to install a web shell named DEWMODE, which they then used to download files stored on victims’ FTA appliances.
    “Out of approximately 300 total FTA clients, fewer than 100 were victims of the attack,” Accellion said in a press release today. “Within this group, fewer than 25 appear to have suffered significant data theft.”
    But FireEye says that some of these 25 customers have now received ransom demands following the attacks on their FTA file-sharing servers.
    The attackers reached out via email and asked for Bitcoin payments, or they’d publish the victims’ data on a “leak site” operated by the Clop ransomware gang.

    FireEye, which has been helping Accellion investigate these attacks, said the attacks had been linked to two activity clusters the company tracks as UNC2546 (the zero-day exploitation on FTA devices) and UNC2582 (the emails sent to victims threatening to publish data on the Clop ransomware leak site).
    Both groups have infrastructure overlaps with FIN11, a major cybercrime gang that FireEye discovered and documented last year, which has its fingers in various forms of cybercrime operations.

    FireEye says that despite the fact that FIN11 operators are now publishing data from Accellion FTA customers on the Clop ransomware leak site, these companies haven’t had any part of their internal network encrypted but are rather victims of a classic name-and-shame extortion scheme.
    Security podcast Risky Business spotted the Accellion FTA companies on the Clop ransomware leak site last week, even before the FireEye report published today. Companies that had their data listed on the Clop site so far include the likes of:
    Other companies that have reported network breaches due to attacks on their FTA servers (but have not had data leaked on the Clop site) also include the likes of:
    Accellion to retire the old FTA servers
    But while Accellion’s response to these attacks was slow at first, the company is now operating on all cylinders.
    Since the attacks began, the company has released several waves of patches to address the bugs exploited in the attacks, and has also announced its intention to retire the old FTA server software later this year, on April 30, 2021.
    The company is now actively urging its customers to move to its newer Kiteworks product, which superseded the old FTA server, a file-sharing tool developed in the early 2000s that gave companies a simple way to share files with employees and customers, at a time before products like Dropbox or Google Drive were widely available.
    Because of the amount of data that has been uploaded to these servers, which were often developed with few security features in mind, FTA systems have become a prime target for attackers.
    Accellion hopes companies understand the risks they are now facing and choose to move to its newer line of products instead, avoiding having sensitive files like trade secrets, intellectual property, or personal data leak online.